
# Remove one account from Owner and all non-inherited Allow ACEs on all computers throughout the domain
# 1. Replace "DomainJoin" with the unwanted account's name
# 2. Run script
$ErrorActionPreference = "Stop"
# Old owner
$OldOwnerSAM = Get-ADUser "DomainJoin" | select -ExpandProperty SamAccountName
# New owner
@martinsohn
martinsohn / ConvertFrom-BHJSON.ps1
Last active July 2, 2024 08:45
ConvertFrom-BHJSON
# See examples here: https://twitter.com/martinsohndk/status/1783470845119152340
# Add the below to your PowerShell profile
# 1. In PowerShell, run: Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser -Force
# 2. In PowerShell, run: if(!(Test-Path $PROFILE)){New-Item $PROFILE -ItemType File -Force}; notepad.exe $PROFILE
# 3. Add the function to your PowerShell profile
# 4. (Optional) Change the default input source from Clipboard to another one by editing 'DefaultParameterSetName'
# 5. Start a new PowerShell instance
# 6. Export JSON from BloodHound
# 7. Convert the JSON with 'ConvertFrom-BHJSON' or the alias 'cfb'
@martinsohn
martinsohn / gist:3f6122c7486ca3ffcaa444772f1a35f2
Last active September 30, 2024 10:15
Generate Cypher from AzurePrivilegedIAM Tier Zero
$Roles = IRM "https://github.com/Cloud-Architekt/AzurePrivilegedIAM/raw/main/Classification/Classification_EntraIdDirectoryRoles.json"
$T0RolesIDs = ($Roles | ? {$_.Classification.EAMTierLevelTagValue -eq 0}).RoleId -join "','"
$Cypher = "// From 'AzurePrivilegedIAM'. Generated $(Get-Date -F yyyy-MM-dd)`nMATCH (n:AZBase) WHERE n.templateid IN ['$T0RolesIDs'] AND NOT coalesce(n.system_tags, '') CONTAINS 'admin_tier_0' = true RETURN n"
$Cypher | Set-Clipboard
↓ GENERATES CYPHER ↓
// From 'AzurePrivilegedIAM'. Generated 2024-03-13
MATCH (n:AZBase) WHERE n.templateid IN ['9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3','58a13ea3-c632-46ae-9ee0-9c0d43cd7f3d','ffd52fa5-98dc-465c-991d-fc073eb59f8f','8424c6f0-a189-499e-bbd0-26c1753c96d4','1d336d2c-4ae8-42ef-9711-b3604ce3fc2c','5b784334-f94b-471a-a387-e7219fc49ca2','c4e39bd9-1100-46d3-8c65-fb160da0071f','25a516ed-2fa0-40ea-a2d0-12923a21473a','0526716b-113d-4c15-b2c8-68e3c22b9f80','aaf43236-0c0d-4d5f-883a-6955382ac081','3edaf663-341e-4475-9f94-5c398ef6c070','b0f54661-2d74-4c50
@martinsohn
martinsohn / gist:14726d6f49b86284ab9e7518df82307d
Last active July 20, 2021 18:27
Advice for SAM and SYSTEM readable by BUILTIN\Users
# Check if system is vulnerable. Run as Administrator with PowerShell. Requires the VSS service to be running.
## Get all shadow copies
$ShadowCopies = (Get-WMIObject -Class Win32_ShadowCopy).DeviceObject
## Check for vulnerable permissions of shadow copy files
("SAM","SYSTEM") | % {
foreach ($ShadowCopy in $ShadowCopies) {
if ((.\icacls.exe $env:windir\System32\config\$_) -match "BUILTIN\\Users") {
Write-Host "Current system is vulnerable! '$_' is readable by 'BUILTIN\Users'. You should delete and disable Shadow Copies." -ForegroundColor Red
return
@martinsohn
martinsohn / edgemax-ad-blocker-dnsmasq.md
Last active April 17, 2024 13:55 — forked from bsodmike/edgemax-ad-blocker-dnsmasq.md
HOWTO Ubiquity EdgeMAX Ad & Malware Blocking Content Filtering using EdgeRouter as dnsmasq server

Ubiquity EdgeMAX Ad & Malware Blocking Content Filtering using EdgeRouter

NB: I am not using this setup anymore, and will not update the config and code if it breaks. I recommend Pi-hole instead, which gives many features such as web UI, statistics, DNS-over-HTTPS, and definitely better written code ;)

This will show you how to use your EdgeRouter as a local DNS server and block DNS queries to domains that host ads and malware.

The blocklist used is: